...
Field | Description |
---|---|
ErrorCode | |
ExpiryDateMs | timestamp (in msec) at which this token expires. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)). |
Possible Error Codes
* DelegationTokenDisabledException
...
Field | Description |
---|---|
HMAC | HMAC of the delegation token to be renewed |
ExpiryDateMs | timestamp (in msec) at which this token expires. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)). |
...
Field | Description |
---|---|
ErrorCode | |
ExpiryDateMs | timestamp (in msec) at which this token expires. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)). |
Possible Error Codes
* DelegationTokenDisabledException
...
```
DescribeTokenRequest => [Owner]
  Owner => String
```
...
Field | Description |
---|---|
ErrorCode | |
Owner | Kafka principal which requested the delegation token. If the Owner list is null (i.e., its length is -1), the response contains all tokens from all owners. |
...
Field | Description |
---|---|
Owner | Kafka principal which requested the delegation token |
IssueDateMs | timestamp (in msec) when this token was generated. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)). |
ExpiryDateMs | timestamp (in msec) at which this token expires. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)). |
TokenId | Sequence number to ensure uniqueness |
HMAC | Keyed-hash message authentication code of the token, generated and verified with the brokers' master key |
Renewer | List of principals allowed to renew this token |
Possible Error Codes
* DelegationTokenDisabledException
...
delegation.token.max.lifetime.ms : The token has a maximum lifetime beyond which it cannot be renewed anymore. Default value 7 days.
delegation.token.expiry.time.ms : The token validity time in milliseconds before the token needs to be renewed. Default value 1 day.
delegation.token.master.key : masterKey/secret used to generate and verify delegation tokens. This masterKey/secret needs to be configured on all the brokers. If the masterKey/secret is not set or is set to an empty string, brokers will disable delegation token support.
...
The MasterKey/secret is used to generate and verify delegation tokens. It is supplied using the delegation.token.master.key config option and needs to be configured with the same value on all the brokers. The current proposal does not support rotation of the secret. If the secret is not set or is set to an empty string, brokers will disable delegation token support. A re-deployment is required when the secret needs to be rotated.
...
SCRAM is a suitable mechanism for authentication using delegation tokens. KIP-84 proposes to support SASL SCRAM mechanisms. Kafka clients can authenticate using SCRAM-SHA-256, providing the delegation token HMAC as the password.
The server looks up the token in its token cache; if it finds a match and the token has not expired, it authenticates the client and establishes the client's identity as the owner of the delegation token.
If no token matches or the token has expired, the broker returns an appropriate exception and does not allow the client to continue.
Token renewal
The (Admin/Delegation Token) client authenticates using Kerberos or any other available authentication scheme. A token cannot be renewed if the initial authentication was done with a delegation token; the client must use a different authentication scheme.
The client sends a request to renew a token with an optional renew lifetime, which must be less than the max lifetime of the token.
The broker looks up the token. If the token has expired, if the renewer's identity does not match the token's renewers, or if the renewal would extend the token beyond its max lifetime, the broker disallows the operation by throwing an appropriate exception.
If none of the above conditions is met, the broker updates the token's expiry. Note that the HMAC is unchanged, so the token on the client side is unchanged. The broker updates the expiration in its local cache and in ZooKeeper so that the other brokers are notified and update their caches as well.
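The following is an added example, not code from the KIP or from Kafka, that models the token lifecycle described in the configuration section, the SCRAM authentication section and the renewal steps above: a broker-side cache that issues a token as an HMAC over the token information using the master key, accepts the HMAC as a SCRAM password, and renews expiry without changing the HMAC. Assumptions beyond the page: the token HMAC is computed over the immutable fields only (so renewal leaves it unchanged), TokenId is used as the SCRAM username, the class, function and exception names are hypothetical, and the key, principals and clock values are constructed.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Broker settings from the KIP; the key bytes are a constructed example value.
DELEGATION_TOKEN_MASTER_KEY = b"constructed-master-key-shared-by-all-brokers"
DELEGATION_TOKEN_EXPIRY_TIME_MS = 24 * 60 * 60 * 1000       # 1 day
DELEGATION_TOKEN_MAX_LIFETIME_MS = 7 * 24 * 60 * 60 * 1000  # 7 days


class DelegationTokenError(Exception):
    """Hypothetical stand-in for the broker's 'appropriate exception'."""


@dataclass
class TokenInfo:
    owner: str
    renewers: List[str]
    issue_date_ms: int
    expiry_date_ms: int      # mutable: updated on renewal
    max_date_ms: int         # issue time + delegation.token.max.lifetime.ms
    token_id: str


@dataclass
class DelegationToken:
    info: TokenInfo
    hmac: bytes              # what the client later presents as its SCRAM password


class BrokerTokenCache:
    """Toy in-memory model of one broker's token cache (the KIP keeps it in ZooKeeper)."""

    def __init__(self, master_key: bytes, now_ms: Optional[Callable[[], int]] = None):
        self._master_key = master_key
        self._tokens: Dict[str, TokenInfo] = {}
        self._next_id = 0
        self._now_ms = now_ms or (lambda: int(time.time() * 1000))

    def _compute_hmac(self, info: TokenInfo) -> bytes:
        # Assumption for this example: the HMAC covers only the immutable fields, so
        # renewal (which changes expiry_date_ms) leaves the client's token untouched.
        msg = "|".join([info.owner, ",".join(info.renewers), str(info.issue_date_ms),
                        str(info.max_date_ms), info.token_id]).encode()
        return hmac.new(self._master_key, msg, hashlib.sha256).digest()

    def create_token(self, owner: str, renewers: List[str]) -> DelegationToken:
        if not self._master_key:  # unset or empty master key disables the feature
            raise DelegationTokenError("DelegationTokenDisabledException")
        now = self._now_ms()
        self._next_id += 1
        info = TokenInfo(owner=owner, renewers=list(renewers), issue_date_ms=now,
                         expiry_date_ms=now + DELEGATION_TOKEN_EXPIRY_TIME_MS,
                         max_date_ms=now + DELEGATION_TOKEN_MAX_LIFETIME_MS,
                         token_id=str(self._next_id))
        self._tokens[info.token_id] = info
        return DelegationToken(info=info, hmac=self._compute_hmac(info))

    def authenticate(self, token_id: str, password: bytes) -> str:
        """SCRAM-style check: TokenId as username (assumption), token HMAC as password.
        Returns the established identity, i.e. the token owner."""
        info = self._tokens.get(token_id)
        if info is None or not hmac.compare_digest(self._compute_hmac(info), password):
            raise DelegationTokenError("token not found")
        if self._now_ms() > info.expiry_date_ms:
            raise DelegationTokenError("token expired")
        return info.owner

    def renew_token(self, renewer: str, token_hmac: bytes, renew_period_ms: int) -> int:
        """Renewal as described in the KIP; returns the new ExpiryDateMs."""
        info = next((t for t in self._tokens.values()
                     if hmac.compare_digest(self._compute_hmac(t), token_hmac)), None)
        if info is None:
            raise DelegationTokenError("token not found")
        now = self._now_ms()
        if now > info.expiry_date_ms:
            raise DelegationTokenError("token expired")
        if renewer not in info.renewers:
            raise DelegationTokenError("renewer not permitted")
        if now + renew_period_ms > info.max_date_ms:
            raise DelegationTokenError("renewal beyond max lifetime")
        info.expiry_date_ms = now + renew_period_ms   # HMAC stays the same
        return info.expiry_date_ms


def rejected(action: Callable[[], object]) -> bool:
    """True if the broker refused the action with a DelegationTokenError."""
    try:
        action()
        return False
    except DelegationTokenError:
        return True


if __name__ == "__main__":
    clock = {"t": 1_700_000_000_000}                 # fixed clock for a reproducible run
    cache = BrokerTokenCache(DELEGATION_TOKEN_MASTER_KEY, now_ms=lambda: clock["t"])
    tok = cache.create_token("User:alice", renewers=["User:bob"])
    print("identity:", cache.authenticate(tok.info.token_id, tok.hmac))
    clock["t"] += 60_000
    print("renewed until:", cache.renew_token("User:bob", tok.hmac, DELEGATION_TOKEN_EXPIRY_TIME_MS))
    print("owner renewing is rejected:", rejected(lambda: cache.renew_token("User:alice", tok.hmac, 1000)))
```

Because the master key never leaves the brokers, a client holding only the HMAC cannot mint or extend tokens; it can only present the HMAC as a password. The empty-key check in `create_token` mirrors the "disable delegation token support" behaviour, and `hmac.compare_digest` is used for every HMAC comparison so the password check does not leak timing information.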
Token expiration and cancellation
...